At Microsoft, we believe customers deserve to understand our policies for responding to government requests for their data. This transparency also helps inform policymakers as they work to modernize laws that impact our customers. In addition to the detailed frequently asked questions (FAQs) below, there are some core policies we adhere to across our services:
- Microsoft does not provide any government with direct and unfettered access to our customers’ data, and we do not provide any government with our encryption keys or the ability to break our encryption.
- If a government wants customer data, it must follow applicable legal process. It must serve us with a warrant or court order for content, or a subpoena for subscriber information or other noncontent data.
- All requests must target specific accounts and identifiers.
- Microsoft’s legal compliance team reviews all requests to ensure they are valid, rejects those that are not valid, and only provides the data specified.
Our Law Enforcement Request Report and U.S. National Security Order Report are updated every six months and show that the vast majority of our customers are never impacted by government requests for data.
Frequently asked questions
- Why do you screen government requests for customer data?
- What is the process for disclosing customer information in response to government legal demands?
- Why does Microsoft reject a government request?
- Is rejecting a request the only way Microsoft resists government requests?
- Does Microsoft reject U.S. subpoenas from government entities seeking content data?
- How does Microsoft consider potential human rights issues impacted by law enforcement requests?
- Does Microsoft provide any data to governments absent a formal legal request?
- How does Microsoft determine what countries can request data?
- Does Microsoft notify users of its consumer services, such as Outlook.com, when law enforcement or another governmental entity in the U.S. requests their data?
- Does Microsoft notify its enterprise customers when law enforcement or another governmental entity requests their data?
- Does Microsoft disclose additional data as a result of the CLOUD Act?
- Does Microsoft notify users if their accounts have been compromised by third parties or state-sponsored actors?
- Does Microsoft ever challenge nondisclosure obligations or gag orders?
- How many enterprise cloud customers are impacted by law enforcement requests?
- What services are subject to law enforcement requests?
- Did you participate in the PRISM program disclosed by Edward Snowden?
- Do you give the U.S. government direct access to Skype and Outlook.com data flows as suggested by some stories reporting on documents released by Edward Snowden?
- Where does Microsoft deploy encryption and what level of encryption do you use?
- Why don’t you use encryption universally?
- What do you do with encryption keys?
- Does Microsoft build back doors into its products?
- What laws apply to Microsoft customer records and content?
- What are “content” and “noncontent” data?
- Does Microsoft provide customer data in response to legal demands from civil litigation parties?
- Does Microsoft charge governments for providing data and content?
- How does Microsoft define a FISA order seeking disclosure of content?
- How does Microsoft define a FISA order requesting disclosure of noncontent?
- How does Microsoft define the accounts impacted that it reports?
- Does Microsoft ever remove online content at the request of a government or other parties?
- What is Microsoft doing to combat revenge porn content on its services?
- Does Microsoft monitor for images of online child exploitation?
- How is Microsoft countering terrorist content? Does Microsoft monitor for or remove terrorist content across its services?
- Who makes the decision to remove terrorist content?
Q: Why do you screen government requests for customer data?
A: Governments play a critical role in keeping the public safe. Microsoft has a team that works around the clock to respond rapidly when governments’ requests are legal and valid. Governments had legal means to access people’s personal information before modern technology and the same is true today. At the same time, we believe our customers deserve predictability in how and when the government can access their data, and it should be up to national laws and agreed-upon human rights standards — not the discretion of any company — to determine where the line is drawn. By only responding to valid legal process, we strive to offer customers clear expectations for what happens with their data.
Q: Why does Microsoft reject a government request?
A: There are many reasons why Microsoft may reject or challenge a request. For example, we might reject a request if it exceeds the authority or jurisdiction of the requesting agency. We may also reject a request if it is not signed or not appropriately authorized, contains the wrong dates, is not properly addressed, contains material mistakes, or is overly broad.
Q: What is the process for disclosing customer information in response to government legal demands?
A: Microsoft requires an official, signed document issued pursuant to local law and rules. Specifically, we require a subpoena or equivalent before disclosing noncontent, and only disclose content to law enforcement in response to a warrant (or its local equivalent). Microsoft’s compliance team reviews government demands for customer data to ensure the requests are valid, rejects those that are not valid, and only provides the data specified in the legal order.
Q: Is rejecting a request the only way Microsoft resists government requests?
A: No. Sometimes we seek to narrow the scope of requests. When a request addresses our commercial services, we always attempt to redirect the government to obtain the information directly from our customer. Except in the most limited circumstances, we believe that government agencies can go directly to business or government customers for information about one of their employees — just as they did before these customers moved to the cloud — and that they can do so without undermining their investigation or national security. If needed, we may also file a formal legal challenge in court seeking to modify or quash a legal order.
Q: Does Microsoft reject U.S. subpoenas from government entities seeking content data?
A: Yes. We require a court order or warrant before we will consider releasing content. Like other companies, we’ve implemented the holding of U.S. v. Warshak, which says that email users maintain a reasonable expectation of privacy in the content of their emails.
Q: How does Microsoft consider potential human rights issues impacted by law enforcement requests?
A: Our Global Human Rights Statement outlines our commitment to respect the human rights of our customers. By verifying law enforcement entities followed the laws and procedures in their jurisdictions before we respond to a request, we seek to ensure we are disclosing customer data only in authorized criminal investigations.
Q: Does Microsoft provide any data to governments absent a formal legal request?
A: We do this only in limited circumstances. Pursuant to U.S. law, we are required to report identified or suspected images exploiting children to the U.S. National Center for Missing and Exploited Children (NCMEC). On occasion, we also report some limited information about a user when we have reason to believe the individual is about to harm themselves or someone else due to a public posting on one of our forums, on Xbox LIVE, or through referrals from other customers. If one of our customers or employees, or Microsoft itself, is the victim of a crime, we may report some limited information to law enforcement. Additionally, consistent with applicable law and industry practice, Microsoft sometimes discloses limited information to law enforcement where we believe the disclosure is necessary to prevent an emergency involving danger of death or serious physical injury to a person. Microsoft considers emergency requests from law enforcement agencies around the world, and requires these requests be in writing on official letterhead, signed by a law enforcement authority. The request must contain a summary of the emergency, along with an explanation of how the information sought will assist law enforcement in addressing the emergency. Each request is carefully evaluated by Microsoft’s compliance team before any data is disclosed, and the disclosure is limited to the data that we believe would enable law enforcement to address the emergency. Some of the most common emergency requests involve suicide threats and kidnappings. Every six months, we publish information about the emergency requests we receive here.
Q: How does Microsoft determine what countries can request data?
A: Microsoft produces data in response to valid legal requests from governmental entities in countries where we host the requested data. We conduct a local legal review of each request we receive against local laws and standards. We also periodically review our screening processes around the world to ensure local judicial procedures are being followed and our global human rights statement is being applied.
Q: Does Microsoft notify users of its consumer services, such as Outlook.com, when law enforcement or another governmental entity in the U.S. requests their data?
A: Yes. Microsoft gives prior notice to users whose data is sought by a law enforcement agency or other governmental entity, except where prohibited by law. We may withhold notice in exceptional circumstances, such as emergencies where notice could result in danger (e.g., child exploitation investigations), or where notice would be counterproductive (e.g., where the user’s account has been hacked). Microsoft also provides delayed notice to users upon expiration of a valid and applicable nondisclosure order unless Microsoft, in its sole discretion, believes that providing notice could result in danger to identifiable individuals or groups or be counterproductive.
Q: Does Microsoft notify its enterprise customers when law enforcement or another governmental entity requests their data?
A: Yes. Microsoft gives prior notice to its enterprise customers of any third-party requests for their data, except where prohibited by law. We also provide our enterprise customers with notice upon expiration of a valid and applicable nondisclosure order. Except in the most limited circumstances, we believe governments can obtain information directly from our enterprise customers without jeopardizing investigations or risking harm to individuals, just as they did before the customer moved to the cloud. For the same reason, we believe that our enterprise customers can, except in the most exceptional circumstances, be notified about government requests for their data.
Q: Does Microsoft disclose additional data as a result of the CLOUD Act?
A: No. The CLOUD Act amends U.S. law to make clear that law enforcement may compel U.S.-based service providers to disclose data that is in their “possession, custody, or control” regardless of where the data is located. This law, however, does not change any of the legal and privacy protections that previously applied to law enforcement requests for data – and those protections continue to apply. Microsoft adheres to the same principles and customer commitments related to government demands for user data.
In the first half of 2018, Microsoft received 4,948 legal demands for consumer data from law enforcement in the United States. Since the introduction of the CLOUD Act in March 2018, 133 warrants sought data which was stored outside of the United States. In the same time frame, Microsoft received 34 legal demands from law enforcement in the United States for commercial enterprise customers who purchased more than 50 seats. Of those demands, 1 warrant sought data which was stored outside of the United States.
Q: Does Microsoft notify users if their accounts have been compromised by third parties or state-sponsored actors?
A: In December 2015 we announced that we now notify customers if we have evidence they have been the target of an attempted “state-sponsored” attack. These notifications do not mean that Microsoft’s own systems have in any way been compromised.
Q: Does Microsoft ever challenge nondisclosure obligations or gag orders?
A: Microsoft sometimes receives requests that prohibit us from notifying our customers. In some cases, we seek permission to notify our customer or even challenge the gag order. For example, in one case, Microsoft challenged a National Security Letter (NSL) pertaining to an enterprise customer because it included a gag order. As a result of the legal challenge, the government withdrew the NSL and was able to obtain the data directly from the customer without compromising the integrity of its investigation. Microsoft recently challenged the U.S. government in court again, arguing that the Justice Department routinely uses overly broad and indefinite gag orders that prevent us from ever notifying customers of requests for their data. We believe that with rare exceptions consumers and businesses have a right to know when the government accesses their emails or records, and we’re asking the court to address the matter. More information about that lawsuit can be found here.
Q: How many enterprise cloud customers are impacted by law enforcement requests?
A: In the first half of 2018, Microsoft received 50 requests from law enforcement for accounts associated with enterprise cloud customers. In 32 cases, these requests were rejected, withdrawn, or law enforcement was successfully redirected to the customer. In 18 cases, Microsoft was compelled to provide responsive information: 10 of these cases required the disclosure of some customer content and in 8 of the cases we were compelled to disclose noncontent information only.
Q: What services are subject to law enforcement requests?
A: As our law enforcement requests reports have shown, the overwhelming majority of requests seek information related to our free consumer services. By comparison, we have received very few requests for data associated with use of our commercial services used by enterprise customers.
Q: Did you participate in the PRISM program disclosed by Edward Snowden?
A: No. When PRISM was reported we released a statement that said, “We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition, we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don’t participate in it.” Since issuing that statement, the Director of National Intelligence released clarifications that explained PRISM was not a voluntary program but rather an internal government computer system to process targeted data collected through valid legal orders.
Q: Do you give the U.S. government direct access to Skype and Outlook.com data flows as suggested by some stories reporting on documents released by Edward Snowden?
A: We’ve been clear about this. We do not provide any government with direct access to emails or instant messages. Full stop. Like all providers of communications services, we are sometimes obligated to comply with lawful demands from governments to turn over content for specific accounts, pursuant to a search warrant or court order. Some documents disclosed in the summer of 2013 were interpreted to suggest we made product changes to enable greater government access to customer communication. There were significant inaccuracies in the interpretations of these leaked government documents, and the product changes referenced did not facilitate greater government access to audio, video, messaging, or any other customer data.
Q: Where does Microsoft deploy encryption and what level of encryption do you use?
A: We announced in 2013 that we would increase encryption across our services both when data is traveling and when it is at rest, and we’ve provided updates along the way. Details on the encryption deployed in our products are regularly updated and can often be viewed by visiting the website associated with that product.
Q: Why don’t you use encryption universally?
A: Many of our products use end-to-end encryption or deploy encryption extensively. We invest in encryption because it protects our customers from a range of threats including cybercrime. However, sometimes our customers wish to deploy technologies to fight cybercrime that require content to be decrypted in a secure environment somewhere in the process. For example, some customers may wish to run enterprise software that scans emails to detect phishing attacks or malicious code. Customers may also wish to take advantage of features like real-time language translation in Skype calls, which require us to temporarily and securely decrypt data. Our approach is to give customers choices while continuously working to improve encryption and other security measures so they can be applied broadly.
Q: What do you do with encryption keys?
A: We do not provide any government with our encryption keys or the ability to break our encryption. In most cases, our default is for Microsoft to securely store our customers’ encryption keys. Even our largest enterprise customers usually prefer we keep their keys to prevent accidental loss or theft. However, in many circumstances we also offer the option for consumers or enterprises to keep their own keys, in which case Microsoft does not maintain copies.
Q: Does Microsoft build back doors into its products?
A: Microsoft does not build back doors into any of its products. We’ve been clear that we do not provide direct, unfettered access to customer data, and history shows we have a track record of declining requests to give voluntary access to customer data.
Q: What laws apply to Microsoft customer records and content?
A: For data hosted in the U.S., Microsoft follows the Electronic Communications Privacy Act. We require at least a subpoena before turning over noncontent records, such as basic subscriber information or IP connection history, and we require a court order or warrant before producing content. Irish law and European Union directives apply to the Hotmail and Outlook.com accounts hosted in Ireland. Skype is a wholly owned, but independent division of Microsoft, headquartered in and operating pursuant to Luxembourg law.
Q: What are “content” and “noncontent” data?
A: Noncontent data includes basic subscriber information, such as email address, name, state, country, ZIP code, and IP address at time of registration. Other noncontent data may include IP connection history, an Xbox Gamertag, and credit card or other billing information. We require a valid legal demand, such as a subpoena or court order, before we will consider disclosing noncontent data to law enforcement. Content is what our customers create, communicate, and store on or through our services, such as the words in an email exchanged between friends or business colleagues or the photographs and documents stored on OneDrive (formerly called SkyDrive) or other cloud offerings such as Office 365 and Azure. We require a court order or warrant before we will consider disclosing content to law enforcement.
Q: Does Microsoft provide customer data in response to legal demands from civil litigation parties?
A: Microsoft receives legal demands for customer data from civil litigation parties around the world. Microsoft does not respond to private requests other than those received through a valid legal process. Microsoft adheres to the same principles for civil proceeding legal requests as it does for government agency requests for user data, requiring nongovernmental civil litigants to follow the applicable laws, rules and procedures for requesting customer data.
If a nongovernmental party wants customer data, it needs to follow applicable legal process — meaning, it must serve us with a valid subpoena or court order for content or subscriber information or other noncontent data. For content requests, we require specific lawful consent of the account owner and for all requests we provide notice to the account owner unless prohibited by law from doing so. We require that any requests be targeted at specific accounts and identifiers. Microsoft’s compliance team reviews civil proceeding legal requests for user data to ensure the requests are valid, rejects those that are not valid, and only provides the data specified in the legal order. A summary of Microsoft’s responses to civil litigation requests for customer data is included in the transparency reports we publish every six months.
Q: Does Microsoft charge governments for providing data and content?
A: Sometimes. Pursuant to U.S. law, Microsoft is entitled to seek reimbursement for costs associated with compliance with a valid legal demand. We only charge in an attempt to recover some costs associated with the need to comply with U.S. legal demands. To be clear, these reimbursements cover only a portion of the costs we actually incur to comply with legal orders. We do not, however, charge in emergency situations or in known child exploitation investigations. For additional information about how we use and protect customer information, please read the Microsoft Privacy Statement.
Q: How does Microsoft define a FISA order seeking disclosure of content?
A: This category would include any FISA electronic surveillance orders (50 U.S.C. § 1805), FISA search warrants (50 U.S.C. § 1824), and FISA Amendments Act directives or orders (50 U.S.C. § 1881 et seq.) that were received or active during the reporting period.
Q: How does Microsoft define a FISA order requesting disclosure of noncontent?
A: This category would include any FISA business records (50 U.S.C. § 1861), commonly referred to as 215 orders, and FISA pen register and trap and trace orders (50 U.S.C. § 1842) that were received or active during the reporting period.
Q: How does Microsoft define the accounts impacted that it reports?
A: This is the number of user accounts impacted by FISA orders that were received or active during the reporting period. Since individuals may have multiple accounts across different Microsoft services — all of which are counted separately to determine the number of accounts impacted — this number will likely overstate the number of individuals subject to government orders.
Q: Does Microsoft ever remove online content at the request of a government or other parties?
A: Yes. Microsoft periodically receives requests to remove content from its online products or services in accordance with four specific requests for content removal:
- Requests from European residents or Russian residents to filter search results about them on Bing for queries that include their names under the European Court of Justice’s 2014 “Right to Be Forgotten” ruling or under amendments to Russia’s data protection law, respectively
- Requests from copyright owners to Bing claiming infringement of protected works
- Requests from individuals to remove “nonconsensual pornography,” also referred to as “revenge porn,” which is the sharing of nude or sexually explicit photos or videos online without consent
More information about content removal requests can be found in the Content Removal Requests Report, which is updated biannually on our Transparency Hub.
Q: What is Microsoft doing to combat revenge porn content on its services?
A: As a first step, we pledged to remove links to photos and videos from search results in Bing, and remove access to the content itself when shared on OneDrive or Xbox Live, when we are notified by a victim. People can report content to us via this form.
We are committed to working with leaders and experts worldwide on this subject, and continue to work on improving our reporting mechanisms and processes. To learn more about online safety generally, see our website and resources.
Q: Does Microsoft monitor for images of online child exploitation?
A: Child pornography violates the law as well as our terms of service, which makes clear that we use automated technologies to detect abusive behavior that may harm our customers or others. In 2009, we helped develop PhotoDNA, a technology to disrupt the spread of exploitative images of children; the images it identifies are reported to the National Center for Missing and Exploited Children as required by law.
Q: How is Microsoft countering terrorist content? Does Microsoft monitor for or remove terrorist content across its services?
A: Although Microsoft does not run any of the leading social networks or video-sharing sites, from time to time, terrorist content may be posted to or shared on our Microsoft-hosted consumer services.
In December 2016, Microsoft joined with three other companies — Facebook, Twitter and YouTube — in a coalition to create an industry hash-sharing database of the most violent terrorism imagery. Images and videos that are reported to us and are identified as terrorist content on our hosted consumer services are removed, hashed and contributed to the industry database. We’ve also partnered with the Institute for Strategic Dialogue (ISD) on a pilot project to better enable nongovernmental organizations (NGOs) to surface and serve impactful counter-narrative content via advertisements on Bing. To learn more about countering violent extremism, visit the ISD website.
Terrorism is one of the truly urgent issues of our time. We are committed to doing our part to help address the use of technology to promote it or to recruit to its causes. To learn more about our efforts, please read our blog on Microsoft’s approach to terrorist content.
Q: Who makes the decision to remove terrorist content?
A: Microsoft uses a “notice-and-takedown” process for removal of prohibited content, including terrorist content. When terrorist content on our hosted consumer services is brought to our attention via our online reporting tool, we will remove it. All terrorist content on any Microsoft service — whether noticed by governments, concerned citizens or other groups — should be reported to us via this form.